GDPR: Your Obligations

Cover Image for GDPR: Your Obligations

| Claire Thomson

The General Data Protection Regulation (GDPR) has been with us since 2018, the latest in a long line of data protection rules aimed at protecting personal information of individuals. The Regulation introduced a significant number of obligations for all organisations handling data of individuals; in this article we recap some of the key obligations all businesses must meet.

A lengthy Regulation, at 99 Articles in 11 Chapters, and 173 Recitals, the original EU GDPR contains numerous obligations on all data controllers and data processors. These were implemented into UK law via the Data Protection Act of 2018, and have been supplemented by several UK-specific requirements.

Some of the key responsibilities of data processors - anyone who processes personal data on a subject - are:

Transparency: As a data processor, an organisation must provided all data subjects (individuals whose data they process) with information on the type of processing taking place, and who is carrying out that processing. Information should be disclosed on why the data is being processed (for example, if they are an employee, you will need data to be able to process their salaries), under what legal basis it is processed (for example, required for the performance of a contract, or compliance with a legal obligation), and how long it is being stored for. Data subjects should also be informed of their rights under data legislation, such as their rights to access the data held about them, and their right to object to some, or all, of their data being held or processed.

Data access requests: One of the rights of a data subject is to request a copy of the data that is held about them, free of charge and in a format that is accessible to them. Such requests must be honoured on a timely basis, with the data provided within one month of the request. Alongside the data provided, the individual must be given information about how their data is processed, and under what legal basis.

Breaches: Even with the most robust systems, there is a chance that a breach of data protection legislation will occur. Where a breach “presents a risk to the affected individuals”, it must be reported to the Information Commissioner’s Office (ICO) via their website, within 72 hours of becoming aware of the breach. Where a breach presents a “high risk to affected individuals”, those individuals must also be informed in a timely manner.

Data protection legislation brings many obligations for businesses. However, the key to meeting many of these requirements is to have well-constructed policies that are regularly reviewed. Such policies, accompanied by regular risk reviews, can assist with identifying and mitigating data protection risks, as well as demonstrating compliance should any regulatory investigation or breach occur.

Further information on UK GDPR can be found on the Information Commissioner’s Office website at https://ico.org.uk.

Disclaimer

The contents of this article are meant as a guide only, and are not a substitute for professional advice. The authors accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting, or refraining from acting, in connection with the matters dealt with in this article.

Image of Claire Thomson

About the Author

OmniPro Practice Support Claire's focus is on helping practices achieve on-going best practice compliance, with a particular focus on delivering technical training and providing guidance on the requirements of financial reporting and company law in both Ireland and the UK. Claire is a qualified Chartered Accountant with the Institute of Chartered Accountants of Scotland, and trained with Grant Thornton in Belfast. She spent 5.5 years in corporate audit, before moving to Grant Thornton’s risk & compliance team, where she spent 6 years supporting the all-Ireland practice as their UK financial reporting subject matter expert. As a member of our Practice Support Team, Claire’s focus is on helping practices achieve on-going best practice compliance, with a particular focus on delivering technical training and providing guidance on the requirements of financial reporting and company law in both Ireland and the UK. Claire is a qualified Chartered Accountant with the Institute of Chartered Accountants of Scotland, and trained with Grant Thornton in Belfast. She spent 5.5 years in corporate audit, before moving to Grant Thornton’s risk & compliance team, where she spent 6 years supporting the all-Ireland practice as their UK financial reporting subject matter expert.

YOU MAY ALSO LIKE

Cover Image for FAQ - Frequently Asked Questions

FAQ - Frequently Asked Questions

 

What is Per Minute CPD™?  Per Minute CPD ™ allows you to do CPD in smaller chunks, in a wa...

Cover Image for AI: Friend Not Foe

AI: Friend Not Foe

 

Artificial Intelligence (AI) has emerged as a transformative force, one that professionals...

Cover Image for 947 508 Minutes of CPD

947 508 Minutes of CPD

 

Last year, over 947 508 minutes of webinars, video courses and blogs were consumed on CPDS...